I have written quite a few things lately about capturing traffic, so why not write another? This time we will be taking a look at capturing data from another key place in the network: the firewall.
The Cisco ASA firewall has functionality built in that allows the capturing of traffic to onboard buffer. The contents of that buffer can then be viewed or downloaded as a typical PCAP file. Let’s dive right into some examples!
I suggest capturing only with an access list applied, both to limit the size of the capture buffer and to limit the amount of stuff you will have to wade through when reviewing the capture. To get started, simply create an access list. I will be using a simple two-line list like this to watch the action between my system and the internet on the HTTP port 80 (the list is named CAPTURE, which is the name the capture command below refers to):
asa-host(config)# access-list CAPTURE extended permit tcp host 192.168.1.100 gt 1024 any eq www
asa-host(config)# access-list CAPTURE extended permit tcp any eq www host 192.168.1.100 gt 1024
Next, we want to put the capture to work. The minimum syntax is something like this:
asa-host# capture <capture name> interface <interface name>
That will capture everything seen on that interface. Like I said, I like throwing a filter on it like this:
asa-host# capture TEST interface inside access-list CAPTURE circular-buffer
This will capture only traffic seen on the inside interface that matches the CAPTURE access list. The information is then buffered in a circular buffer, meaning that once the buffer reaches its size limit the oldest captured data is pushed out to make room for new data.
To view the capture you can do a few different things. First, connect to the ASA with your web browser like this:
https://<ASA IP Address>/admin/capture/<capturename>
This prints results:
43 packets captured
1: 14:58:04.958065 192.168.1.100.43253 > 184.108.40.206.80: S 2621750554:2621750554(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
2: 14:58:04.958385 192.168.1.100.43254 > 220.127.116.11.80: S 3748621921:3748621921(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
3: 14:58:05.000030 18.104.22.168.80 > 192.168.1.100.43254: S 217068245:217068245(0) ack 3748621922 win 14300 <mss 1380,nop,nop,sackOK,nop,wscale 6>
4: 14:58:05.000350 192.168.1.100.43254 > 22.214.171.124.80: . ack 217068246 win 16560
5: 14:58:05.001007 126.96.36.199.80 > 192.168.1.100.43253: S 1683140320:1683140320(0) ack 2621750555 win 14300 <mss 1380,nop,nop,sackOK,nop,wscale 6>
6: 14:58:05.001251 192.168.1.100.43253 > 188.8.131.52.80: . ack 1683140321 win 16560
7: 14:58:05.001754 192.168.1.100.43253 > 184.108.40.206.80: P 2621750555:2621751089(534) ack 1683140321 win 16560
8: 14:58:05.044980 220.127.116.11.80 > 192.168.1.100.43253: . ack 2621751089 win 241
9: 14:58:05.084620 18.104.22.168.80 > 192.168.1.100.43253: . 1683140321:1683141701(1380) ack 2621751089 win 241
10: 14:58:05.085307 22.214.171.124.80 > 192.168.1.100.43253: . 1683141701:1683143081(1380) ack 2621751089 win 241
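The text form above is handy to grep through, or to feed into a script, before deciding whether a full PCAP download is worth the effort. The following Python parser is an added example and not part of the original post or of any Cisco tooling. It reads per-packet lines in the layout shown above (index, timestamp, source, destination, TCP flags, sequence range with payload length, ack, window, options), skips the "N packets captured" banner, and groups the packets into connections so you can see which ones completed the three-way handshake and how many payload bytes went each way. The sample capture embedded in the code is constructed for the example (the server address 203.0.113.10 is a documentation address, and the second connection is deliberately left half-open); the field layout and flag letters follow the output shown on the page.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the ASA text-capture layout shown on the page.
# Connection 43253 completes its handshake and exchanges data;
# connection 43254 sends a SYN that never gets an answer.
SAMPLE = """6 packets captured
1: 14:58:04.958065 192.168.1.100.43253 > 203.0.113.10.80: S 2621750554:2621750554(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
2: 14:58:05.001007 203.0.113.10.80 > 192.168.1.100.43253: S 1683140320:1683140320(0) ack 2621750555 win 14300 <mss 1380,nop,nop,sackOK,nop,wscale 6>
3: 14:58:05.001251 192.168.1.100.43253 > 203.0.113.10.80: . ack 1683140321 win 16560
4: 14:58:05.001754 192.168.1.100.43253 > 203.0.113.10.80: P 2621750555:2621751089(534) ack 1683140321 win 16560
5: 14:58:05.084620 203.0.113.10.80 > 192.168.1.100.43253: . 1683140321:1683141701(1380) ack 2621751089 win 241
6: 14:58:06.100000 192.168.1.100.43254 > 203.0.113.10.80: S 3748621921:3748621921(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
"""

# One capture line: "<idx>: <time> <src>.<sport> > <dst>.<dport>: <flags> [seq:seq(len)] [ack N] [win N] [<opts>]"
LINE_RE = re.compile(
    r"^(?P<idx>\d+):\s+(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SFRP.]+)"
    r"(?:\s+(?P<seq_lo>\d+):(?P<seq_hi>\d+)\((?P<plen>\d+)\))?"
    r"(?:\s+ack\s+(?P<ack>\d+))?"
    r"(?:\s+win\s+(?P<win>\d+))?"
    r"(?:\s+<(?P<opts>[^>]*)>)?\s*$"
)


@dataclass
class Packet:
    index: int
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str
    payload_len: int          # bytes in the (len) part, 0 for pure ACKs
    ack: Optional[int]
    win: Optional[int]
    options: str


def parse_line(line: str) -> Optional[Packet]:
    """Parse one packet line; return None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return Packet(
        index=int(g["idx"]), ts=g["ts"],
        src=g["src"], sport=int(g["sport"]),
        dst=g["dst"], dport=int(g["dport"]),
        flags=g["flags"], payload_len=int(g["plen"] or 0),
        ack=int(g["ack"]) if g["ack"] else None,
        win=int(g["win"]) if g["win"] else None,
        options=g["opts"] or "",
    )


def parse_capture(text: str) -> Tuple[List[Packet], List[str]]:
    """Parse a whole capture dump; banner lines are skipped, unparsable lines are returned separately."""
    packets, skipped = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.endswith("packets captured"):
            continue
        pkt = parse_line(line)
        (packets if pkt else skipped).append(pkt if pkt else line)
    return packets, skipped


@dataclass
class FlowSummary:
    client: str
    server: str
    packets: int = 0
    bytes_to_server: int = 0
    bytes_to_client: int = 0
    syn_seen: bool = False      # SYN from client without ack
    synack_seen: bool = False   # SYN with ack from server

    @property
    def handshake_complete(self) -> bool:
        return self.syn_seen and self.synack_seen


FlowKey = Tuple[str, int, str, int]  # (client ip, client port, server ip, server port)


def summarize_flows(packets: List[Packet]) -> Dict[FlowKey, FlowSummary]:
    """Group packets into connections; the first endpoint seen sending is treated as the client."""
    flows: Dict[FlowKey, FlowSummary] = {}
    for p in packets:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if rev in flows:
            key, to_server = rev, False
        else:
            key, to_server = fwd, True
            flows.setdefault(key, FlowSummary(client=f"{p.src}:{p.sport}", server=f"{p.dst}:{p.dport}"))
        f = flows[key]
        f.packets += 1
        if to_server:
            f.bytes_to_server += p.payload_len
            if "S" in p.flags and p.ack is None:
                f.syn_seen = True
        else:
            f.bytes_to_client += p.payload_len
            if "S" in p.flags and p.ack is not None:
                f.synack_seen = True
    return flows


if __name__ == "__main__":
    pkts, bad = parse_capture(SAMPLE)
    for key, f in summarize_flows(pkts).items():
        state = "complete" if f.handshake_complete else "half-open"
        print(f"{f.client} -> {f.server}: {f.packets} pkts, {f.bytes_to_server}B up, {f.bytes_to_client}B down, handshake {state}")
    if bad:
        print(f"{len(bad)} unparsed line(s)")
```

Connections that show a SYN but never a SYN/ACK are the ones worth a second look when troubleshooting: on a capture taken on the inside interface they usually mean the return traffic was dropped somewhere beyond the firewall, or by a policy on the firewall itself, and that is the point at which downloading the PCAP and opening it in Wireshark pays off.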
This works well for quick viewing, but what about a more detailed analysis with something like Wireshark? Browse to:
https://<ASA IP address>/admin/capture/<capture name>/PCAP
This will prompt you to save or open a file. Save with the “.pcap” extension and open with Wireshark.
When you are done capturing you can (and should!) stop the capture with the negated “no” command:
asa-host# no capture <capture name>
Be sure to check out the help for this command with the "?" command. There are plenty of fine-tuning options to accommodate your capturing needs.
asa-host# capture ?
  WORD < 245 char  Capture name
asa-host# capture TEST ?
  access-list      Capture packets that match access-list
  buffer           Configure size of capture buffer, default is 512 KB
  circular-buffer  Overwrite buffer from beginning when full, default is non-circular
  ethernet-type    Capture Ethernet packets of a particular type, default is IP
  headers-only     Capture only L2, L3 and L4 headers of packet without data in them
  interface        Capture packets on a specific interface
  match            Capture packets matching five-tuple
  packet-length    Configure maximum length to save from each packet, default is 1518 bytes
  real-time        Display captured packets in real-time. Warning: using this option with a slow console connection may result in an excessive amount of non-displayed packets due to performance limitations.
  trace            Trace the captured packets
  type             Capture packets based on a particular type
I hope someone found this useful!